CVE-2026-0861: Check for alignment overflow in memalign functions

Resolves: RHEL-141739
2026-02-12 15:21:33 +01:00 · 2026-02-12 15:21:33 +01:00 · 949d465bf8
commit 949d465bf8
parent 9520284df9
1 changed files with 86 additions and 0 deletions
--- a/glibc-RHEL-141739.patch
+++ b/glibc-RHEL-141739.patch
@ -0,0 +1,86 @@
+commit c9188d333717d3ceb7e3020011651f424f749f93
+Author: Siddhesh Poyarekar <siddhesh@gotplt.org>
+Date:   Thu Jan 15 06:06:40 2026 -0500
+
+    memalign: reinstate alignment overflow check (CVE-2026-0861)
+
+    The change to cap valid sizes to PTRDIFF_MAX inadvertently dropped the
+    overflow check for alignment in memalign functions, _mid_memalign and
+    _int_memalign.  Reinstate the overflow check in _int_memalign, aligned
+    with the PTRDIFF_MAX change since that is directly responsible for the
+    CVE.  The missing _mid_memalign check is not relevant (and does not have
+    a security impact) and may need a different approach to fully resolve,
+    so it has been omitted.
+
+    CVE-Id: CVE-2026-0861
+    Vulnerable-Commit: 9bf8e29ca136094f73f69f725f15c51facc97206
+    Reported-by: Igor Morgenstern, Aisle Research
+    Fixes: BZ #33796
+    Reviewed-by: Wilco Dijkstra <Wilco.Dijkstra@arm.com>
+    Signed-off-by: Siddhesh Poyarekar <siddhesh@gotplt.org>
+
+Conflicts:
+	malloc/malloc.c
+	  (old checked_request2size interface downstream)
+
+diff --git a/malloc/malloc.c b/malloc/malloc.c
+index fe80b8239756a7c9..8d2ede60d93e433f 100644
+--- a/malloc/malloc.c
+++ b/malloc/malloc.c
+@@ -4815,7 +4815,7 @@ _int_memalign (mstate av, size_t alignment, size_t bytes)
+ 
+ 
+ 
+-  if (!checked_request2size (bytes, &nb))
+  if (!checked_request2size (bytes, &nb) || alignment > PTRDIFF_MAX)
+     {
+       __set_errno (ENOMEM);
+       return NULL;
+@@ -4826,8 +4826,10 @@ _int_memalign (mstate av, size_t alignment, size_t bytes)
+      request, and then possibly free the leading and trailing space.
+    */
+ 
+-  /* Call malloc with worst case padding to hit alignment. */
+-
+  /* Call malloc with worst case padding to hit alignment.  ALIGNMENT is a
+     power of 2, so it tops out at (PTRDIFF_MAX >> 1) + 1, leaving plenty of
+     space to add MINSIZE and whatever checked_request2size adds to BYTES to
+     get NB.  Consequently, total below also does not overflow.  */
+   m = (char *) (_int_malloc (av, nb + alignment + MINSIZE));
+ 
+   if (m == 0)
+diff --git a/malloc/tst-malloc-too-large.c b/malloc/tst-malloc-too-large.c
+index 328b4a2a4fd72cf4..593381520c40cb84 100644
+--- a/malloc/tst-malloc-too-large.c
+++ b/malloc/tst-malloc-too-large.c
+@@ -151,7 +151,6 @@ test_large_allocations (size_t size)
+ }
+ 
+ 
+-static long pagesize;
+ 
+ /* This function tests the following aligned memory allocation functions
+    using several valid alignments and precedes each allocation test with a
+@@ -170,8 +169,8 @@ test_large_aligned_allocations (size_t size)
+ 
+   /* All aligned memory allocation functions expect an alignment that is a
+      power of 2.  Given this, we test each of them with every valid
+-     alignment from 1 thru PAGESIZE.  */
+-  for (align = 1; align <= pagesize; align *= 2)
+     alignment for the type of ALIGN, i.e. until it wraps to 0.  */
+  for (align = 1; align > 0; align <<= 1)
+     {
+       test_setup ();
+ #if __GNUC_PREREQ (7, 0)
+@@ -264,11 +263,6 @@ do_test (void)
+   DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than=");
+ #endif
+ 
+-  /* Aligned memory allocation functions need to be tested up to alignment
+-     size equivalent to page size, which should be a power of 2.  */
+-  pagesize = sysconf (_SC_PAGESIZE);
+-  TEST_VERIFY_EXIT (powerof2 (pagesize));
+-
+   /* Loop 1: Ensure that all allocations with SIZE close to SIZE_MAX, i.e.
+      in the range (SIZE_MAX - 2^14, SIZE_MAX], fail.
+